Solved

Web Services and Encryption

Posted on 2002-07-18
Last Modified: 2010-05-02
I have a few public web methods that can be called by anyone on the internet using SOAP. The only security I've added is a username and password that is embedded in the XML that is passed in as a parameter to the web methods. I want to make my methods more secure by encrypting the password, but I don't think that one-way encryption will do the trick if someone were to intercept my message. The web service has no knowledge of the callers; it only knows to validate the username and password combination.

Any ideas?
Question by:alaplume
 
LVL 17

Expert Comment

by:inthedark
ID: 7162523
You could encrypt the password using the Session ID as a key for the encryption engine.

Do you need a simple encryption engine?
0
 
LVL 17

Accepted Solution

by:
inthedark earned 100 total points
ID: 7162593
I expect that you have a good reason for not using HTTPS?

Here is a simple but effective encrypt/decrypt routine:

Hope this helps.....inthedark... :~)

Option Explicit

Private Sub Form_Load()

    Dim m$          ' original message
    Dim l$          ' message after the encrypt/decrypt round trip
    Dim e$          ' encrypted message
    Dim password As String

    m$ = "Mary had a little lamb"
    password = "NICK WAS HERE"

    ' First test: a short text string must survive the round trip
    e$ = Encrypt(m$, password)
    l$ = Decrypt(e$, password)

    If l$ <> m$ Then
        MsgBox "Stupid idea, it does not work"
    Else
        MsgBox "Good idea, it works: " + vbCrLf + m$ + vbCrLf + "Came back to: " + l$, vbExclamation, "First Test"
    End If

    ' Now the real test: every character code from 0 to 255
    Dim c As Long
    m$ = ""
    For c = 0 To 255
        m$ = m$ + Chr$(c)
    Next c
    l$ = Decrypt(Encrypt(m$, password), password)
    If l$ <> m$ Then
        MsgBox "Stupid idea, it does not work", vbExclamation, "Second Test"
    Else
        MsgBox "Good idea, it works very well"
        Me.AutoRedraw = True
        Me.Print "Good idea, it works very well"
    End If

End Sub

' XOR each character of SourceData with the matching character of
' password, starting again at the first password character whenever
' the password runs out.
Public Function Encrypt(SourceData As String, password As String) As String

    Dim S$
    S$ = Space$(Len(SourceData))    ' output buffer, same length as the input
    If Len(S$) = 0 Then Exit Function

    Dim PC As Long    ' position in the password
    Dim LC As Long    ' position in the source data

    For LC = 1 To Len(S$)
        PC = PC + 1
        If PC > Len(password) Then
            PC = 1
        End If
        Mid$(S$, LC, 1) = Chr$(Asc(Mid$(SourceData, LC, 1)) Xor Asc(Mid$(password, PC, 1)))
    Next

    Encrypt = S$

End Function

' XOR is its own inverse, so decrypting is the same operation as encrypting.
Public Function Decrypt(EncryptedData As String, password As String) As String

    Decrypt = Encrypt(EncryptedData, password)

End Function



0
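A check of how the routine above behaves on the wire, as an added example that is not part of the original thread: a Python port of the posted XOR logic, run over a constructed SOAP-like message. The function names and the sample XML are assumptions; the key is the one used in the post's own test.

```python
from itertools import cycle


def xor_crypt(data: bytes, password: bytes) -> bytes:
    """Port of the posted Encrypt/Decrypt: XOR with a repeating password."""
    return bytes(b ^ k for b, k in zip(data, cycle(password)))


def key_bytes_exposed(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR plaintext at the same offsets equals the key bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def check_properties():
    key = b"NICK WAS HERE"  # key from the post's test code
    # Constructed sample message with fixed, predictable markup.
    msg = b"<login><user>alice</user><pass>s3cret</pass></login>"
    ct = xor_crypt(msg, key)

    # 1. The round trip works, as the post's tests show.
    round_trip = xor_crypt(ct, key) == msg
    # 2. Output is deterministic: the same credentials always produce the
    #    same bytes, so a captured message stays valid if sent again.
    deterministic = xor_crypt(msg, key) == ct
    # 3. Any stretch of plaintext the reader of the wire already knows
    #    (here the fixed XML opening) gives back the key at those offsets.
    exposed = key_bytes_exposed(ct, b"<login><user>")
    return round_trip, deterministic, exposed


if __name__ == "__main__":
    print(check_properties())
```

Properties 2 and 3 are why a transport-level control such as HTTPS, raised at the top of the answer, is the stronger fix for the interception concern in the question.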
 
LVL 17

Expert Comment

by:inthedark
ID: 7162660
The problem with using embedded encryption is that the client side needs to encrypt the data which means that you have to embed the encryption source code in the web page.

It would be better to work like POP3 server authentication. How this works is that when the client attaches to the server, the server hands the client a number.  The client uses an encryption routine which minces the password and the number together to create a long string.  The server knows which number he gave the client and the client's password, so he can encrypt the password in the same way and compare the encrypted result with the result from the client.  I have a C DLL which uses something called MD5. Once encrypted by MD5 I don't think there is a way of decrypting it.

So the only way to make it work is for each client to have an ActiveX encryption routine like MD5, which is a one-way-only encryption.

In your case you can generate a new Key for each new session.  A hacker would always be given a new key and therefore could not benefit by sampling the conversation between host and client.

So all you have to do is work out how to save and utilise an ActiveX on each client's system.

I think it would be a lot easier to spend a few dollars and purchase an SSL key from www.verisign.com (or some other company); you could even create your own SSL key for free.

It would be interesting to see other viewpoints on this issue.


0
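The POP3-style challenge-response exchange described in the comment above, as an added example that is not part of the original thread. HMAC-SHA256 stands in for the MD5 DLL the comment mentions, and the class, function names and sample user are constructed for illustration. It authenticates the caller only; the rest of the SOAP message still travels unprotected without HTTPS.

```python
import hashlib
import hmac
import secrets

# Constructed sample store. The server must hold the password (or an
# equivalent secret) so it can recompute the client's response.
USERS = {"alice": b"correct horse"}


def client_response(password: bytes, challenge: bytes) -> bytes:
    """Mix password and challenge one way (HMAC-SHA256 instead of MD5)."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, users):
        self.users = users
        self.pending = {}  # session id -> challenge not yet answered

    def new_challenge(self, session_id: str) -> bytes:
        """Hand the client a fresh random number for this session."""
        challenge = secrets.token_bytes(16)
        self.pending[session_id] = challenge
        return challenge

    def verify(self, session_id: str, username: str, response: bytes) -> bool:
        """Recompute the digest and compare; a challenge is single use."""
        challenge = self.pending.pop(session_id, None)
        secret = self.users.get(username)
        if challenge is None or secret is None:
            return False
        expected = client_response(secret, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    server = Server(USERS)
    challenge = server.new_challenge("s1")
    captured = client_response(b"correct horse", challenge)
    first = server.verify("s1", "alice", captured)        # legitimate login
    replay_same = server.verify("s1", "alice", captured)  # challenge consumed
    server.new_challenge("s2")
    replay_new = server.verify("s2", "alice", captured)   # different number
    return first, replay_same, replay_new


if __name__ == "__main__":
    print(demo())
```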
 
LVL 28

Expert Comment

by:AzraSound
ID: 7162776
"Build an XMLDOM - Safe DES CryptoStream Class Library in VB.NET"
http://www.eggheadcafe.com/articles/20020315.asp
0
 
LVL 1

Author Comment

by:alaplume
ID: 7212058
As it turns out, I can use https after all!
0
 
LVL 17

Expert Comment

by:inthedark
ID: 7212759
I am glad!
0
